LEARNING OBJECTIVES
1. Describe the importance of information security to organizations, and how information represents a
critical asset in today's business organizations.
2. Discuss recent technologies that are revolutionizing organizations' IT environments and the significance of
implementing adequate security to protect the information.
3. Discuss information security threats and risks, and how they represent a constant challenge to information
systems.
4. Describe relevant information security standards and guidelines available for organizations and auditors.
5. Explain what an information security policy is and illustrate examples of its content.
6. Discuss the roles and responsibilities of the various information system groups within information security.
7. Explain what information security controls are, and their importance in safeguarding the information.
8. Describe the significance of selecting, implementing, and testing information security controls.
9. Describe audit involvement in an information security control examination, and provide reference
information on tools and best practices to assist such audits.
Information Security
Information is a critical asset. Organizations rely on reliable
and secure information to thrive. While security investments
offer protection and prevent devastating consequences,
many organizations underinvest in this area. Effective
information security aligns with strategic business
objectives, ensuring confidentiality, integrity, and
availability.
by Maricar Ranollo
Confidentiality, Integrity, and Availability
Confidentiality
Protecting information from unauthorized access to maintain
organizational image and comply with privacy laws. Risks include
security breaches leading to data disclosure.
Integrity
Ensuring the correctness and completeness of information for quality
decision-making. Risks involve unauthorized modification of data, resulting in
corrupted information and fraud.
Availability
Maintaining information systems to support business processes for
operational efficiency. Risks include system disruptions, transaction loss,
and system crashes.
Revolutionizing IT: ERP Systems
ERP Growth
Enterprise Resource Planning (ERP) systems are projected to reach $84.1 billion
by 2020, up from $62.1 billion in 2015. ERP integrates business functions into a
unified IT environment.
Benefits
ERPs reduce storage costs and increase data consistency by allowing multiple
functions to access a common database.
Challenges
ERP modifications require extensive programming. Organizations may need to adapt
business operations to match vendor processes, potentially impacting culture and
incurring training costs.
Cloud Computing's Impact
Key Trend
Cloud computing significantly shapes business, with
organizations using it for critical processes. It's a key
trend driving business strategy.
Projected Growth
Cloud computing is predicted to grow at 19.4%
annually over the next 5 years, becoming a dominant
factor for private companies.
Mobile Device Management (MDM)
MDM Defined
MDM manages and administers the mobile devices used by employees,
ensuring integration with the IT environment and compliance with
organizational policies.
Data Protection
MDM protects corporate information and configuration settings on all
mobile devices within the organization, for example by enforcing
device encryption and remote wipe.
BYOD
Under Bring Your Own Device (BYOD), employees use their own personal
mobile devices for work as well as personal purposes. Because the
organization does not own the device, corporate data on it requires
monitoring and control, typically through MDM enrollment.
Information Security Threats and Risks
Data Tampering
Computer hackers and employees can tamper with data, destroying information
and introducing fraudulent records.
Asset Theft
Data communication systems can be used to steal assets with the touch of a
few keys.
Information Classification
Organizations categorize information to determine protection levels based
on legal, regulatory, or national security reasons.
Techniques Used to Commit Cybercrimes
Spamming & Phishing
Spamming sends unsolicited, disruptive messages in bulk. Phishing scams
trick users into revealing personal information such as credentials.
Spoofing & Pharming
Spoofing impersonates a trusted sender or site, for example by creating
fake websites. Pharming redirects users to fraudulent sites, typically
by tampering with DNS resolution.
Denial-of-Service
Denial-of-service attacks flood networks with useless traffic,
disabling them.
Malware & Spyware
Malware damages systems. Spyware tracks and transmits user data
without their knowledge.
Denial-of-Service Attack
Overwhelms a network with useless traffic, causing it to crash.
Distributed Denial-of-Service
Uses coordinated attacks from many computers, often machines previously
compromised by worms or other malware.
Viruses
Self-reproducing code that attaches to programs, spreading rapidly when
those programs run.
Trojan Horse
Malicious code hidden inside a seemingly harmless program, leading to
data loss.
Worm
Self-replicating code that spreads across networks without user action,
consuming memory and bandwidth and slowing systems, impacting processing.
Information Classification
Classify information based on legal, regulatory, or national security
reasons. This helps determine protection levels.
Roles and Responsibilities
Information security requires team effort. Every user has a role in
protecting information and systems.
Information Security Controls
Vulnerability Management
Identifying, valuing, and remediating weaknesses in IT assets and processes.
Threat Management
Virus protection, spam control, intrusion detection, and security event
management.
Identity Management
Determining who has access to what in an organization.
Trust Management
Encryption and access controls to ensure data protection.
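A classification-driven access check, as an added example that is not part of the original chapter: it ties the protection levels produced by information classification to the identity-management question of who may read or write what, and records every decision for audit. The four-level ordering, the Bell-LaPadula read/write rules used to compare clearance with classification, and the users, documents and requests are all assumptions constructed for this example.

```python
"""Classification-driven access decisions with an audit trail.

Added example, not code from the original chapter. Assumptions not found on
the page: the label ordering PUBLIC < INTERNAL < CONFIDENTIAL < RESTRICTED,
the Bell-LaPadula rules (no read up, no write down) used to compare a user's
clearance with a document's classification, and the constructed users,
documents and requests below.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Protection level assigned by information classification (assumed ordering)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: Level


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(subject: Subject, doc: Document, action: str) -> Decision:
    """Compare clearance with classification (Bell-LaPadula rules, assumed):
    - read is allowed only when the clearance dominates the label (no read up);
    - write is allowed only when the label dominates the clearance (no write
      down), so a RESTRICTED-cleared user cannot copy data into a PUBLIC file.
    Any other action is refused.
    """
    if action == "read":
        if subject.clearance >= doc.classification:
            return Decision(True, "clearance dominates label")
        return Decision(False, "read up denied")
    if action == "write":
        if doc.classification >= subject.clearance:
            return Decision(True, "label dominates clearance")
        return Decision(False, "write down denied")
    return Decision(False, f"unknown action {action!r}")


class AccessMonitor:
    """Reference monitor: every request is decided and recorded for audit."""

    def __init__(self, subjects, documents):
        self.subjects = {s.name: s for s in subjects}
        self.documents = {d.doc_id: d for d in documents}
        self.audit = []  # one entry per request, allowed or not

    def request(self, user: str, doc_id: str, action: str) -> bool:
        subject = self.subjects.get(user)
        doc = self.documents.get(doc_id)
        if subject is None or doc is None:
            # Fail closed: an unknown identity or object never gets access.
            decision = Decision(False, "unknown subject or object")
        else:
            decision = decide(subject, doc, action)
        self.audit.append({"user": user, "doc": doc_id, "action": action,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision.allowed

    def denials(self):
        """Denied requests are what an auditor reviews first."""
        return [e for e in self.audit if not e["allowed"]]


# Constructed sample identities and classified documents (not from the page).
SUBJECTS = [
    Subject("alice", Level.RESTRICTED),
    Subject("bob", Level.INTERNAL),
    Subject("eve", Level.PUBLIC),
]
DOCUMENTS = [
    Document("press-release", Level.PUBLIC),
    Document("payroll", Level.CONFIDENTIAL),
    Document("merger-plan", Level.RESTRICTED),
]


def run_demo() -> AccessMonitor:
    """Replay a constructed batch of requests; returns the monitor with its audit log."""
    m = AccessMonitor(SUBJECTS, DOCUMENTS)
    m.request("alice", "merger-plan", "read")     # allowed: RESTRICTED >= RESTRICTED
    m.request("alice", "press-release", "write")  # denied: would move data down to PUBLIC
    m.request("bob", "payroll", "read")           # denied: INTERNAL < CONFIDENTIAL
    m.request("bob", "payroll", "write")          # allowed: writing up discloses nothing
    m.request("eve", "press-release", "read")     # allowed: public document
    m.request("mallory", "payroll", "read")       # denied: unknown identity
    return m


if __name__ == "__main__":
    for entry in run_demo().audit:
        verdict = "ALLOW" if entry["allowed"] else "DENY "
        print(f'{verdict} {entry["user"]:8} {entry["action"]:5} {entry["doc"]:14} ({entry["reason"]})')
```

The point for an auditor is the last line of each audit entry: the monitor never silently drops a request, so denied reads of CONFIDENTIAL data and attempts to write RESTRICTED content into PUBLIC documents both appear in the log with the rule that fired.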
Incident Management and Control Selection
Incident Management
• Identify and record incidents
• Report them to a focal point
• Prioritize them for action
• Analyze them and act upon the findings
Control Selection
Adequate selection of information security controls is crucial for
maintaining sound information security and protecting financial assets.
Weaknesses in control selection can lead to fraud, security deficiencies,
and breaches.